Prime Minister Manmohan Singh raised a very valid concern when he said that changes in cyber law were needed to ensure that India’s brand equity in the BPO services sector isn’t damaged by reports and stings such as the one carried by The Sun last week.
The fact, however, is that US industry has advised India not to think in terms of a regulator. For, if it follows the European model—where directives on data protection call for an elaborate bureaucracy—and puts its booming BPO sector under a ‘‘supervisory authority’’ to protect personal data, it runs the risk of losing the edge it currently enjoys in terms of cost and flexibility.
Such is the feedback received from the US by the IT Act review expert committee, which is at an advanced stage of finalising its recommendations on, among other aspects, data protection.
Since the bulk of the BPO operations in India are for American companies, the committee headed by IT Secretary Brijesh Kumar may set much store by their preference to retain the existing system of self-regulation, in which the Indian company is bound mainly by its contractual obligations to its foreign client.
The view from the US is that if India borrows from the European model, the bureaucracy that follows may stifle the BPO companies in a ‘‘burdensome adequacy requirement of international data transfer.’’
The European Union’s 1995 data protection directive stipulates that personal data can be transferred only to such a country which ‘‘ensures an adequate level of protection.’’ The EU directive prescribes elaborate criteria for assessing the adequacy of the level of protection and those include the rules of law enacted for that purpose.
Why BPO doesn’t need a new law

• At present, there are two models of data protection in outsourcing services: US and European Union
Typical of a regulator, the supervisory authority envisaged by the EU directive is endowed with ‘‘investigative powers,’’ ‘‘effective powers of intervention’’ and ‘‘the power to engage in legal proceedings.’’
The American misgivings about regulating the BPO segment are, not surprisingly, shared by India. This is evident from the proposals submitted by NASSCOM to the Brijesh Kumar committee.
Even though the review exercise had been launched last year in the wake of an obscenity scandal involving an internet-based auction site, NASSCOM was content to suggest just three changes related to the provisions on hacking and data privacy.
In a recommendation that has a direct bearing on the recent data leakage, NASSCOM pointed out that the provision in the current IT Act related to ‘‘breach of confidentiality and privacy’’ penalises only government officials and not any of the employees of the BPO company for disclosing personal data to a third party.
Thus, as a follow-up to Prime Minister Manmohan Singh’s call last week to tighten the cyber laws, India is likely to fine-tune the existing provisions on data protection without creating a heavy-handed regulator. It is not for nothing that IT Minister Dayanidhi Maran’s immediate reaction to the data leakage was that it was essentially a matter between the companies concerned.
The self-regulation that has been going on rests on outsourcing contracts which spell out dos and don’ts on information security management practices (employees are frisked on entering and leaving, they are not allowed to carry floppies or mobile phones, and the extent of their access to data depends on their seniority).
If the BPO company breaches any of the security obligations imposed on it by the contract, it is legally liable to its foreign client to make amends for its lapse.
While India is likely to keep off the EU model, the US is meanwhile showing signs of adopting the Indian approach of providing stringent penalties for data theft in a self-regulated environment. Responding to a series of info-heists in America, the US Congress is seized of legislative proposals meant to jail those who fail to disclose data security breaches.